Platform
php
Component
loris
Fixed in
27.0.4
28.0.1
CVE-2026-35169 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in LORIS, a self-hosted web application for neuroimaging research. This flaw allows attackers to inject malicious scripts or download arbitrary markdown files if a user is tricked into clicking a specially crafted link. The vulnerability impacts LORIS versions 27.0.0 through 28.0.0, excluding 28.0.1. A patch is available in version 27.0.3 and 28.0.1.
Successful exploitation of CVE-2026-35169 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the LORIS server. This can lead to session hijacking, data theft (including sensitive research data), and defacement of the LORIS interface. The ability to download arbitrary markdown files expands the attack surface, potentially allowing attackers to exfiltrate configuration files or other sensitive data stored on the server. The impact is amplified in environments where LORIS is used to manage highly sensitive neuroimaging data, as a successful attack could compromise the integrity and confidentiality of research findings.
CVE-2026-35169 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature (reflected XSS) makes it relatively easy to exploit. The vulnerability is not currently listed on CISA KEV, and its EPSS score is pending evaluation. Active exploitation campaigns are not currently confirmed, but the ease of exploitation warrants proactive mitigation.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
The primary mitigation for CVE-2026-35169 is to immediately upgrade LORIS to version 27.0.3 or 28.0.1. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious input in the help_editor module. Carefully review and sanitize all user-supplied input before rendering it in the LORIS interface. Monitor LORIS logs for suspicious activity, particularly requests containing unusual characters or patterns that could indicate an attempted XSS attack. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known payload and verifying that the script is not executed.
Actualice el módulo LORIS a la versión 27.0.3 o superior, o a la versión 28.0.1 o superior. Estas versiones corrigen la vulnerabilidad de XSS y la posibilidad de descarga de archivos markdown arbitrarios al no sanitizar correctamente las entradas del usuario.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35169 is a reflected Cross-Site Scripting (XSS) vulnerability in LORIS, allowing attackers to inject malicious scripts or download arbitrary markdown files.
You are affected if you are running LORIS versions 27.0.0 through 28.0.0, excluding 28.0.1.
Upgrade LORIS to version 27.0.3 or 28.0.1. Consider WAF rules as a temporary mitigation.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the LORIS project's official website and security advisories for the latest information: [https://www.loris.dbmi.washington.edu/](https://www.loris.dbmi.washington.edu/)
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.